public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Manifest signing advice: use gpg-agent!
@ 2004-09-04 22:34 Tom Martin
  2004-09-05  7:20 ` Nicholas Jones
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Tom Martin @ 2004-09-04 22:34 UTC
  To: gentoo-dev


Hiya guys,

As many devs are starting to GPG sign Manifests with repoman, there have been
inevitable problems with people putting their passphrase into the commit message. I've
*nearly* hit the return key on it a few times, and a certain other developer did
actually post their passphrase as a commit message. This, more than anything else, is a
real PITA and at least -fairly- embarrassing...

In my opinion, it is a Very Good Thing to use a program such as quintuple-agent or
gpg-agent to keep your passphrase in protected memory to avoid such problems, if you
aren't doing so already.

app-crypt/newpg for gpg-agent
app-crypt/quintuple-agent for... err... quintuple-agent

Happy signing,
Tom

-- 
Tom Martin
Gentoo Linux AMD64 and net-mail developer

GPG Public key available on pgp.mit.edu, 0xB5C4FF89
IRC: slarti` ~ irc.freenode.net


* Re: [gentoo-dev] Manifest signing advice: use gpg-agent!
  2004-09-04 22:34 [gentoo-dev] Manifest signing advice: use gpg-agent! Tom Martin
@ 2004-09-05  7:20 ` Nicholas Jones
  2004-09-05  9:22 ` Robin H. Johnson
  2004-09-07  0:32 ` Mike Frysinger
  2 siblings, 0 replies; 4+ messages in thread
From: Nicholas Jones @ 2004-09-05  7:20 UTC
  To: gentoo-dev


> people putting their passphrase into the commit message.

Ummmm... How exactly? The commit message isn't prompted if
you are using repoman. You get one prompt _before_ your
passphrase comes up. If you're doing that, then you really
need to slow down.

If you _DO_ manage to do this, be sure to invalidate your
keys and pass the new fingerprint onto devrel.

If there is an issue here that you feel can be resolved by
a different kind of prompt, please let dev-portage know via
a bug and we can get on it.

--NJ



* Re: [gentoo-dev] Manifest signing advice: use gpg-agent!
  2004-09-04 22:34 [gentoo-dev] Manifest signing advice: use gpg-agent! Tom Martin
  2004-09-05  7:20 ` Nicholas Jones
@ 2004-09-05  9:22 ` Robin H. Johnson
  2004-09-07  0:32 ` Mike Frysinger
  2 siblings, 0 replies; 4+ messages in thread
From: Robin H. Johnson @ 2004-09-05  9:22 UTC
  To: Gentoo Developers


On Sat, Sep 04, 2004 at 11:34:48PM +0100, Tom Martin wrote:
> In my opinion, it is a Very Good Thing to use a program such as quintuple-agent or
> gpg-agent to keep your passphrase in protected memory to avoid such problems, if you
> aren't doing so already.
> 
> app-crypt/newpg for gpg-agent
- I'd love to have a CLI gpg-agent for use when I'm at home or on the
  road, but newpg forces the versions of dev-libs/libksba and
  dev-libs/libgcrypt to specific low versions that don't allow me to use
  recent versions of gnutls :-(.

> app-crypt/quintuple-agent for... err... quintuple-agent
- I use quintuple agent when at work.

-- 
Robin Hugh Johnson
E-Mail     : robbat2@orbis-terrarum.net
Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#       : 30269588 or 41961639
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85


* Re: [gentoo-dev] Manifest signing advice: use gpg-agent!
  2004-09-04 22:34 [gentoo-dev] Manifest signing advice: use gpg-agent! Tom Martin
  2004-09-05  7:20 ` Nicholas Jones
  2004-09-05  9:22 ` Robin H. Johnson
@ 2004-09-07  0:32 ` Mike Frysinger
  2 siblings, 0 replies; 4+ messages in thread
From: Mike Frysinger @ 2004-09-07  0:32 UTC
  To: gentoo-dev

On Saturday 04 September 2004 06:34 pm, Tom Martin wrote:
> app-crypt/newpg for gpg-agent

actually, this is only if you're using the old gpg stuff

if you're using gpg-1.9.x, gpg-agent is bundled with it now
-mike
